CVE-2010-0232 in Windowsinfo

Summary

by MITRE

The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges by crafting a VDM_TIB data structure in the Thread Environment Block (TEB), and then calling the NtVdmControl function to start the Windows Virtual DOS Machine (aka NTVDM) subsystem, leading to improperly handled exceptions involving the #GP trap handler (nt!KiTrap0D), aka "Windows Kernel Exception Handler Vulnerability."

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/22/2026

This vulnerability represents a critical privilege escalation flaw in the Windows kernel affecting multiple operating system versions from Windows NT 3.1 through Windows 7. The issue stems from improper validation of BIOS calls within the Virtual DOS Machine subsystem when 16-bit application support is enabled on 32-bit x86 platforms. The vulnerability specifically targets the interaction between the Thread Environment Block and the VDM_TIB data structure, creating a pathway for local attackers to elevate their privileges through carefully crafted system calls.

The technical exploitation involves manipulating the Thread Environment Block to construct a malicious VDM_TIB structure, which when processed through the NtVdmControl function triggers the Windows Virtual DOS Machine subsystem. This process leads to improper handling of exceptions within the #GP trap handler located at nt!KiTrap0D, creating a kernel-level vulnerability that bypasses normal privilege boundaries. The flaw operates at the kernel level, making it particularly dangerous as it allows local users to gain elevated privileges without requiring authentication or network access.

From an operational perspective, this vulnerability has significant implications for system security and stability. The attack requires local system access and knowledge of the specific kernel structures, but once exploited, it provides complete system compromise. The vulnerability affects enterprise environments where legacy 16-bit application support is enabled, particularly in older Windows Server deployments and systems that maintain compatibility with legacy DOS applications. The impact extends beyond individual systems to potentially compromise entire network infrastructures where privileged accounts might be compromised.

The vulnerability aligns with CWE-119 which describes "Improper Access to Memory" and maps to ATT&CK technique T1068, "Exploitation for Privilege Escalation" within the privilege escalation category. Mitigation strategies include disabling 16-bit application support when not required, applying Microsoft security updates, and implementing least privilege principles to limit local user access. Organizations should also monitor for suspicious process behaviors related to NtVdmControl calls and ensure proper patch management protocols are in place. The vulnerability highlights the ongoing security challenges associated with maintaining backward compatibility in operating system kernels, particularly when legacy subsystems interact with modern privilege management mechanisms.

Reservation

01/07/2010

Disclosure

01/21/2010

Moderation

accepted

Entry

VDB-51632

CPE

ready

Exploit

Download

EPSS

0.29253

KEV

yes

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!